What VPNs Actually Protect (And the Much Bigger Problem They Don't Touch)

The VPN industry spends hundreds of millions annually on influencer marketing. Here's the honest breakdown of what a VPN actually does, what it doesn't do, and where your privacy budget is better spent.

VPNs are one of the most heavily marketed privacy products in existence — and one of the most misrepresented. A VPN provides one specific protection: it encrypts your internet traffic between your device and the VPN server, and it substitutes the VPN server's IP address for your own when connecting to websites. These are real benefits with real use cases. They are also dramatically narrower than what the VPN industry's marketing suggests. Meanwhile, the most significant practical privacy threats most people face — data brokers openly selling your home address, stalkers using people-search sites to find you — are completely unaffected by VPN usage.

What a VPN Actually Does

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a VPN server operated by the VPN provider. All traffic from your device routes through this tunnel. From the perspective of websites you visit and services you use, your connection appears to originate from the VPN server's IP address rather than your own.

The three things a VPN genuinely provides are traffic encryption between your device and the VPN server (meaning your ISP cannot see the content of your traffic, only that you're connected to a VPN), IP address masking (websites you visit see the VPN server's IP, not your device's IP), and geographic location spoofing (useful for accessing content restricted to specific regions, such as streaming libraries).

These benefits are real. On public Wi-Fi networks — hotel lobbies, airports, coffee shops — a VPN provides meaningful protection against local network eavesdropping. If you're connecting to sensitive accounts from an untrusted network, a VPN is a reasonable precaution. For journalists, activists, and others who need to access information from politically restricted jurisdictions, a VPN provides meaningful circumvention capability.

The Full List of What VPNs Don't Do

The gap between what VPNs market and what they actually deliver is enormous. Here's the complete picture of what your VPN subscription does and does not protect against:

| Threat | VPN Protects Against? | What Actually Protects Against It |
| --- | --- | --- |
| Data broker profiles (home address, relatives, etc.) | ✗ No | Data broker opt-outs and removal services |
| Breached passwords | ✗ No | Unique passwords per site + password manager |
| Phishing attacks | ✗ No | Phishing awareness, hardware 2FA |
| Browser fingerprinting | ✗ No | Fingerprint-resistant browsers (Tor, Brave), privacy extensions |
| Malware on your device | ✗ No | Antivirus, software updates, not running untrusted code |
| Cookies and persistent tracking | ✗ No | Browser settings, cookie blockers, private browsing |
| Social engineering and impersonation | ✗ No | Verification procedures, awareness training |
| Account takeovers | ✗ No | Unique passwords, 2FA, hardware security keys |
| ISP traffic surveillance | ✓ Yes | VPN (this is what it's actually good for) |
| Website IP logging | ✓ Partial | VPN hides your real IP; your VPN provider still has it |
| Public Wi-Fi eavesdropping | ✓ Yes | VPN (real use case) |
| Geographic content restrictions | ✓ Yes | VPN (real use case) |

The Browser Fingerprinting Problem VPNs Ignore

When you visit a website, your browser silently transmits a fingerprint consisting of dozens of data points: screen resolution, browser version, installed fonts, time zone, language settings, hardware capabilities, installed plugins, and more. The combination of these attributes is often unique — identifying you even without an IP address and even in a private browsing window.

The Electronic Frontier Foundation's Cover Your Tracks tool (coveryourtracks.eff.org) lets you test your browser's fingerprint uniqueness. Most users discover that their browser has a unique fingerprint traceable across sites without any cookies. A VPN does nothing about this. Your browser fingerprint is the same whether you're connected to a VPN or not — it's a property of your browser configuration, not your network connection.

The tools that address browser fingerprinting are: the Tor Browser (standardizes many fingerprint parameters across all users), Brave browser with fingerprinting protection enabled, Firefox with rigorous privacy extensions, and resisting the urge to install browser extensions that expand your fingerprint uniqueness.

The VPN Trust Problem Nobody Talks About

Using a VPN means shifting the entity that can see your traffic from your ISP to your VPN provider. Whether this is an improvement depends entirely on whether your VPN provider is more trustworthy than your ISP — and there are serious reasons to doubt that assumption for many popular VPN services.

In 2021, Kape Technologies — which owns ExpressVPN, CyberGhost, and Private Internet Access — acquired vpnMentor.com, one of the most prominent VPN review sites. vpnMentor's revenue depends heavily on affiliate commissions from VPN sales. The acquisition creates a direct financial interest in favorable reviews of Kape's own products on a site that presents itself as independent journalism. This conflict of interest is not disclosed on vpnMentor.

Beyond ownership conflicts, the "no-log" claims made by many VPN providers have proven unreliable under legal scrutiny. Multiple VPN providers who marketed themselves as "no-log" services have been compelled by court orders to provide user logs to law enforcement — logs they weren't supposed to have. IPVanish and PureVPN are documented examples. When a court order arrives, the legal and business incentives for a VPN company to comply are substantial; the marketing commitment to user privacy is not legally binding.

The VPN providers with the strongest verified track records are those that have undergone independent audits of their no-log policies, have been tested under actual legal pressure, are based in jurisdictions with strong privacy laws, and are not owned by advertising or data companies. Mullvad VPN (Swedish, accepts cash, no account required) and ProtonVPN (Swiss, open source, Proton's broader privacy ecosystem) are the two most commonly cited by security researchers as genuinely trustworthy.

What the VPN Industry's Business Model Tells You

Understanding why VPN marketing is so pervasive requires understanding the economics. A VPN subscription costs $3–12 per month to the consumer. The provider's cost to serve that customer is primarily server bandwidth and infrastructure — typically under $1 per month for average users. Gross margins on VPN subscriptions are extremely high, often 70–80%.

These margins fund enormous marketing budgets. The top VPN providers spend tens to hundreds of millions annually on YouTube sponsorships, podcast ads, influencer partnerships, and affiliate marketing programs. Affiliates who refer a new subscriber earn 30–50% of the subscription price — often $15–40 per conversion. This creates a powerful economic incentive for content creators to recommend VPNs regardless of whether their audience actually needs one.

The result is that VPN marketing reaches enormous audiences with messaging about online privacy — audiences that are genuinely concerned about privacy but may not need a VPN specifically. The marketing fills a legitimate privacy concern with a product that addresses only a narrow subset of that concern, while more impactful measures (data broker removal, password management, 2FA) are dramatically undermarketed because they have worse economics for the affiliate channel.

The Real Privacy Stack (In Order of Impact for Most People)

If you're allocating a fixed privacy budget — in dollars or in attention — here's the priority order based on actual threat reduction, not marketing spend:

  1. Data broker removal: Removes your personal information from the databases that stalkers, scammers, and identity thieves actually use. Ongoing cost: $8–20/month for a service, or several hours/year for manual opt-outs. Impact: high — directly addresses the most commonly exploited privacy threat for ordinary people.
  2. Unique passwords + password manager: Eliminates credential stuffing attacks across all accounts. Cost: $0–$3/month (Bitwarden is free and excellent). Impact: high — account takeover is the most financially damaging cybercrime for individuals.
  3. Two-factor authentication on critical accounts: A hardware security key (YubiKey, ~$50 one-time) or authenticator app eliminates most account takeover risk even if passwords are compromised. Impact: high.
  4. Credit freeze at all three bureaus: Free and permanent. Prevents new account fraud, which is better than monitoring for it after the fact. Impact: medium-high for the specific threat of new account fraud.
  5. VPN (optional, for specific use cases): Useful if you regularly use public Wi-Fi, need to bypass geographic restrictions, or have legitimate concern about ISP surveillance. For most home internet users, the threat this addresses is relatively low. Impact: low for the majority of people's actual threat models.

The uncomfortable truth: For the average person's threat model — stalkers using people-search sites, scammers using breached credentials, identity thieves opening accounts in your name — a VPN provides essentially zero protection. Data broker removal, strong unique passwords, and a credit freeze address these threats far more directly at comparable or lower cost.

When a VPN Is Actually Worth It

VPNs do have genuine use cases where they're the right tool. If you regularly work from cafes, airports, and hotel networks — especially connecting to work systems — a VPN is appropriate. If you're in a country with internet censorship and need to access blocked content, a VPN is often necessary. If you're a journalist, activist, or researcher who has specific concern about ISP-level surveillance of your browsing activity, a VPN adds a meaningful layer. If you want to prevent your ISP from selling your browsing data to advertisers (a practice allowed in the US since 2017), a VPN is one solution.

In these cases, choose carefully. Use Mullvad or ProtonVPN rather than the most heavily advertised options. Pay attention to jurisdiction, audit history, and ownership structure. Don't assume "no-log" claims are reliable without independent verification.

The honest summary: A VPN is a useful tool for a specific set of network-level threats. It does nothing about the data broker ecosystem that holds your home address, family members, phone number, and daily routine. If you want meaningful privacy protection — not the feeling of privacy protection — start with data broker removal, then layer in other controls based on your actual threat model.

Sources & References

  • Kape Technologies - Acquisition of ExpressVPN, CyberGhost, Private Internet Access, and vpnMentor
  • Electronic Frontier Foundation - Cover Your Tracks browser fingerprinting research (coveryourtracks.eff.org)
  • IPVanish and PureVPN - Documented "no-log" VPN providers who provided user logs to law enforcement
  • Mullvad VPN - Independent audit reports and no-account privacy model
  • ProtonVPN - Swiss jurisdiction, open source codebase, independent security audits
  • FCC - 2017 repeal of ISP broadband privacy rules (Broadband Consumer Privacy Rules)
  • Spokeo, BeenVerified, Whitepages - Data broker operations independent of VPN protection